
Principles of Computer Security, Fourth Edition Copyright © 2016 by McGraw-Hill Education. All rights reserved. Web Components Chapter 17.


1 Principles of Computer Security, Fourth Edition Copyright © 2016 by McGraw-Hill Education. All rights reserved. Web Components Chapter 17

2 Objectives
Describe the functioning of the SSL/TLS protocol suite.
Explain web applications, plug-ins, and associated security issues.
Describe secure file transfer options.
Explain directory usage for data retrieval.
Explain scripting and other Internet functions that present security concerns.

3 Objectives (continued)
Use cookies to maintain parameters between web pages.
Examine web-based application security issues.

4 Key Terms
Active Server Pages (ASP), ActiveX, ASP.NET, Authenticode, buffer overflow, code signing, Common Gateway Interface (CGI), cookie, File Transfer Protocol (FTP), Hypertext Markup Language (HTML), inlining, Internet Engineering Task Force (IETF), Java

5 Key Terms (continued)
JavaScript, Lightweight Directory Access Protocol (LDAP), PHP, plug-in, Secure Sockets Layer (SSL), server-side scripting, SSL stripping attack, Transport Layer Security (TLS), Uniform Resource Locator (URL), X.500

6 Introduction
Before the Web, plenty of methods were used to perform user tasks.
– File Transfer Protocol (FTP) was used to move files, and Telnet allowed users access to other machines.
What was missing was the common architecture brought by Berners-Lee:
– A common addressing scheme, built around the concept of a Uniform Resource Locator (URL)
– The concept of linking documents to other documents by URLs through the Hypertext Markup Language (HTML)

7 Current Web Components and Concerns
Security concerns can be grouped into three main tasks:
Securing a server that delivers content to users over the Web
Securing the transport of information between users and servers over the Web
Securing the user's computer from attack over a web connection

8 Web Protocols
Requirements for computer communications are handled through protocols.
– Protocols are agreed-upon sets of rules that allow different vendors to produce hardware and software that can interoperate with hardware and software developed by other vendors.
– They are very important and form the basis by which all the separate parts can work together.
– A specific instantiation of a protocol is done through hardware and software components.

9 Encryption (SSL and TLS)
Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape for managing the encryption of information being transmitted over the Internet.
– The Internet Engineering Task Force (IETF) embraced SSL in 1996 through a series of RFCs and named the group of RFCs Transport Layer Security (TLS).
– SSL and TLS are essentially the same, although not interchangeable.
– SSL is dead and TLS is the path forward, although everyone calls it SSL.

10 Encryption (SSL and TLS) (continued)
The goal of TCP is to send an unauthenticated, error-free stream of information between two computers.
SSL/TLS adds message integrity and authentication functionality to TCP through the use of cryptographic methods.
Cryptographic methods are an ever-evolving field.
– Because both parties must agree on an implementation method, SSL/TLS has embraced an open, extensible, and adaptable method to allow flexibility and strength.

11 Figure 17.1 IE 11 security options

12 How SSL/TLS Works
An overview explains how SSL/TLS works.
– The process begins with a client request for a secure connection and a server's response.
– For the client and server to communicate, both sides must agree on a commonly held protocol: SSL v1, v2, v3, or TLS v1, v1.1, v1.2.
– Commonly available cryptographic algorithms include Diffie-Hellman and RSA.
– The next step is to exchange certificates and keys as necessary to enable authentication.

13 How SSL/TLS Works (continued)
Once authentication is established, the channel is secured with symmetric key cryptographic methods and hashes.
– Typically RC4 or 3DES for the symmetric key and MD5 or SHA-1 for the hash functions.
The authenticity of the server and possibly the client has been established, and the channel is protected by encryption against eavesdropping.

14 TLS handshake

15 How SSL/TLS Works (continued)
Each packet is encrypted using the symmetric key before transfer across the network, and then decrypted by the receiver.
The use of certificates could present a lot of data and complication to a user.
– Fortunately, browsers have incorporated much of this desired functionality into a seamless operation.
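As an added illustration of the agreement step described on slides 12 and 13 (this is not code from the textbook or its authors): `negotiate_version` picks the newest protocol version shared by a client and server and refuses to settle on anything below a minimum, `negotiate_suite` picks the first cipher suite in the server's preference order that the client also offered and that avoids the RC4/3DES/MD5/SHA-1 primitives the slides mention as typical, and `client_context` shows the standard-library `ssl` settings that enforce the same policy on a real connection. The version table, the `MIN_VERSION` policy, the suite tuples and the weak-primitive lists are constructed assumptions for this example.

```python
"""Added example: a toy model of SSL/TLS version and cipher-suite agreement,
beside the real `ssl` module settings a hardened client uses today."""
import ssl

# Protocol versions in the order the slides list them (oldest first).
# The rank is only used to pick the newest version both sides support.
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4}

# Assumption: the deployment policy refuses anything older than TLS 1.2.
MIN_VERSION = "TLSv1.2"

# Cipher suites are modelled as (key exchange, bulk cipher, hash) tuples.
# The slides name RC4, 3DES, MD5 and SHA-1 as typical; a policy avoids them.
WEAK_CIPHERS = {"RC4", "3DES"}
WEAK_HASHES = {"MD5", "SHA-1"}


def negotiate_version(client_offers, server_supports):
    """Return the newest version both sides support, or None when there is
    no overlap or the best common version falls below MIN_VERSION."""
    common = set(client_offers) & set(server_supports)
    if not common:
        return None
    best = max(common, key=lambda v: VERSION_RANK.get(v, -1))
    if VERSION_RANK.get(best, -1) < VERSION_RANK[MIN_VERSION]:
        return None  # refuse to downgrade below policy
    return best


def negotiate_suite(client_offers, server_preference):
    """Pick the first suite in the *server's* preference order that the
    client also offered and that uses no weak primitive."""
    offered = set(client_offers)
    for suite in server_preference:
        _kex, cipher, mac = suite
        if suite in offered and cipher not in WEAK_CIPHERS and mac not in WEAK_HASHES:
            return suite
    return None


def client_context():
    """The real thing: a client-side context that enforces TLS >= 1.2,
    verifies the server certificate chain and checks the hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed offers: the client is willing to go as low as TLS 1.0,
    # but the newest common version wins, so TLS 1.2 is chosen.
    print(negotiate_version(["TLSv1", "TLSv1.1", "TLSv1.2"], ["TLSv1.1", "TLSv1.2"]))
    # Only old versions in common: the policy refuses the downgrade.
    print(negotiate_version(["SSLv3", "TLSv1"], ["SSLv3", "TLSv1", "TLSv1.2"]))
    suites = [("RSA", "RC4", "MD5"), ("ECDHE", "AES-128-GCM", "SHA-256")]
    print(negotiate_suite(suites, suites))  # skips the RC4/MD5 suite
    ctx = client_context()
    print(ctx.minimum_version.name, ctx.verify_mode)
```

The server-preference rule matters in practice: a server that lets the client's order decide can be talked into the weakest suite both sides still support, which is the downgrade pattern the slides warn about.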

16 How SSL/TLS Works (continued)
Once you have decided always to accept code from XYZ Corporation, subsequent certificate checks are handled by the browser.
The ability to manipulate certificate settings is under the Options menus in both Internet Explorer and Mozilla Firefox.

17 Figure 17.2 Internet Explorer certificate management options

18 Figure 17.3 Internet Explorer certificate store

19 Figure 17.4 Firefox certificate options

20 Figure 17.5 Firefox certificate store

21 How SSL/TLS Works (continued)
Once a communication is in the SSL/TLS channel, it is very difficult to defeat the SSL protocol. Before data enters the secured channel, however, defeat is possible.
– A Trojan program that copies keystrokes and echoes them to another TCP/IP address in parallel with the intended communication can defeat SSL/TLS, for example, provided that the Trojan program copies the data prior to SSL/TLS encapsulation.

22 SSL/TLS man-in-the-middle attack

23 The Web (HTTP and HTTPS)
HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers.
When a secure connection is needed, SSL/TLS is used and appears in the address as https://.
If the protocol is https:, your connection is secure. If the protocol is http:, then the connection is carried in plaintext for anyone to see.

24 Figure 17.6 High-assurance notification in Internet Explorer

25 Figure 17.7 High-assurance notification in Firefox

26 The Web (HTTP and HTTPS) (continued)
To combat a variety of attacks, in 2006 the SSL/TLS landscape changed with the advent of extended validation certificates and high-security browsers.
– These changes provide visual cues to the user when high-assurance certificates are being used as part of a secure SSL/TLS connection.
The objective of enabling cryptographic methods in this fashion is to make it easy for end users to use these protocols.
SSL/TLS is designed to be protocol agnostic.

27 HTTPS Everywhere
With a variety of encryption technologies available, managing the resources for HTTPS connections is much easier, and a case has been made by many in security that all web connections should be HTTPS. This has resulted in the HTTPS Everywhere movement.
– HTTPS Everywhere would go a long way for privacy, because it would prevent data snooping.
– HTTPS Everywhere would prevent many man-in-the-middle attacks, such as SSL stripping.

28 HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is an IETF standard and a mechanism to enforce rules to prevent browsers from downgrading security when accessing a site.
HSTS was created in response to a series of attack profiles.
– The SSL stripping attack works on both SSL and TLS by transparently converting the secure HTTPS connection into a plain HTTP connection, removing the transport layer encryption protections.

29 Directory Services (DAP and LDAP)
A directory is designed and optimized for reading data, offering very fast search and retrieval operations.
To enable interoperability, the X.500 standard was created as a standard for directory services.
– The primary method for accessing an X.500 directory is through the Directory Access Protocol (DAP).
The Lightweight Directory Access Protocol (LDAP) contains the most commonly used functionality.

30 Directory Services (DAP and LDAP) (continued)
SSL/TLS LDAP
– SSL/TLS provides several important functions to LDAP services:
  Establishes the identity of a data source through the use of certificates.
  Provides for the integrity and confidentiality of the data being presented from an LDAP source.
– Interoperability is a function of correct setup.
– Once an LDAP server is set up to function over an SSL/TLS connection, it operates as it always has.

31 File Transfer (FTP and SFTP)
File Transfer Protocol (FTP) is an application-level protocol that operates over a wide range of lower-level protocols.
– FTP is embedded in most operating systems and provides a method of transferring files from a sender to a receiver.
– FTP clients initiate transactions and FTP servers respond to transaction requests.
Clients for FTP on a PC can range from an application program, to the command-line FTP program in Windows/DOS, to most browsers.

32 File Transfer (FTP and SFTP) (continued)
Blind FTP (anonymous FTP)
– In FTP, a standard account called anonymous exists. It allows unlimited public access to the files. It is commonly used for unlimited distribution.
On a server, access permissions can be established to allow only downloading, only uploading, or both.
FTP servers present a security risk, so FTP is typically not permitted on workstations and is disabled on servers that have no need for this functionality.

33 File Transfer (FTP and SFTP) (continued)
SFTP
– FTP operates in a plaintext mode.
– Secure FTP (SFTP) combines both the Secure Shell (SSH) protocol and FTP to allow confidential transfer.
– SFTP operates as an application program that encodes both the commands and the data being passed, and requires SFTP to be on both the client and the server.
– SFTP is not interoperable with standard FTP.
– The server must be enabled with the SFTP program, and then clients can access the server, provided they have the correct credentials.

34 Vulnerabilities
The use of protocols such as TLS can result in complacency.
– Using TLS and other encryption methods will not guard against your credit card information being "lost" by a company with which you do business.
The key to understanding what is protected and where it is protected is to understand what these protocols can and cannot do.

35 Code-Based Vulnerabilities
The idea of extending browser functions through plug-ins became a standard.
– The opportunity exists for these applications or plug-ins to include malicious code that performs actions not desired by the end user.
– Web browser malicious code is a major tool for computer crackers to use to obtain unauthorized computer access.
– Whether delivered by HTML-based e-mail, by getting a user to visit a web site, or even by delivery via an ad server, the result is the same: malware performs malicious tasks in the browser environment.

36 Buffer Overflows
One of the most common exploits used to hack into software is the buffer overflow.
– The buffer overflow vulnerability is a result of poor coding practices on the part of software programmers.
– It occurs when an application can accept more input than it has assigned storage space for, and the input data overwrites other program areas.

37 Java
Java is a computer language invented by Sun Microsystems as an alternative to Microsoft's development languages.
– Designed to be platform-independent and based on C
– Offered a low learning curve and a way of implementing programs across an enterprise
– Found itself to be a leader in object-oriented programming languages
– Operates through an interpreter called a Java Virtual Machine (JVM) on each platform

38 Java (continued)
Reliance on an interpretive step has led to performance issues.
Security is not a built-in function but an afterthought implemented independently of the language core.
Java has safety features, but safety is not security.
– A malicious Java program can cause significant damage.
Sun provides different levels of security.
– Do not run Java programs at all.
– Restrict Java program functionality when the program is not run directly from the system's hard drive.

39 JavaScript
JavaScript is a scripting language developed by Netscape and designed to be operated within a browser instance.
– The primary purpose is to enable features such as validation of forms.
– Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design.
– JavaScript runs within the browser and the code is executed by the browser itself. This has led to compatibility problems.

40 Figure 17.8 Java configuration settings in Internet Explorer

41 Figure 17.9 Security setting functionality issues

42 JavaScript (continued)
JavaScript's lack of a comprehensive security model left some security holes.
– A form could submit itself via e-mail to an undisclosed recipient, enabling eavesdropping, spamming, or other problems.
Most browsers do not have a mechanism to halt a running script short of aborting the browser instance.
– This may not be possible if the browser has stopped responding to commands.

43 JavaScript (continued)
Malicious JavaScripts can do many things.
– Opening two new windows every time you close one, each with the code to open two more. There is no way out of this one, short of killing the browser process from the operating system.
JavaScripts can also trick users into thinking they are communicating with one entity when in fact they are communicating with another.

44 ActiveX
ActiveX is the name given to a broad collection of application programming interfaces (APIs), protocols, and programs developed by Microsoft to download and execute code automatically over an Internet-based channel.
– The code is bundled together into an ActiveX control with an .ocx extension.
– ActiveX is a tool for the Windows environment and can be extremely powerful.
– Its range of abilities gives ActiveX a lot of power, but this power can be abused.

45 Figure 17.10 ActiveX security settings in Internet Explorer

46 ActiveX (continued)
To enable security and consumer confidence in downloaded programs such as ActiveX controls, Microsoft developed Authenticode.
– Authenticode is a system that uses digital signatures and allows Windows users to determine who produced a specific piece of code and whether or not the code has been altered.
– Safety and security are different things, and Authenticode promotes neither in reality.

47 ActiveX (continued)
Authenticode does not identify whether a piece of code will cause damage to a system, nor does it regulate how code is used.
– A perfectly safe ActiveX control under one set of circumstances may be malicious if used improperly.
Critics argue that code signing is not a panacea for security issues and that marketing it as doing more than it really does is irresponsible.

48 Securing the Browser
Added features mean weaker security. No browser is 100 percent safe.
Currently Firefox coupled with the NoScript plug-in provides good protection.
– Firefox will not execute ActiveX, so that threat vector is removed.
– The NoScript plug-in allows the user to determine from which domains to trust scripts.

49 CGI
The Common Gateway Interface (CGI) was the original method for having a web server execute a program outside the web server process, yet on the same server.
– The programs can be written in a number of languages.
– The scripted programs embrace the full functionality of a server.
– Poorly written scripts can cause unintended consequences at runtime, and their defects are not always obvious.
CGI is an outdated and mostly retired technology.

50 Server-Side Scripts
CGI has been replaced in many web sites by newer server-side scripting technologies such as Java, Active Server Pages (ASP), ASP.NET, and PHP.
– These technologies operate in much the same fashion as CGI: they allow programs to be run outside the web server and to return data to the web server to be served to end users via a web page.
– The term server-side script is actually a misnomer, as these are actually executable programs that are either interpreted or run in virtual machines.
– These technologies have stronger security models than CGI.

51 Server-Side Scripts (continued)
Each technology is based on a different language.
– This results in a steeper learning curve.
Developers must adhere to programming fundamentals.
– Use well-designed and well-written code, as buffer overflows are still an issue.
– The basic security problems associated with incorporating open-ended user input into code still exist.
– Understanding and qualifying user responses before blindly using them programmatically is essential to the security of a system.

52 Cookies
Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a web browser instance.
A cookie is a series of name-value pairs that is stored in memory during a browser instance.
– Its attributes are Expires, Domain, Path, and Secure.
Because cookies are stored on a user's machine in a form that will allow simple manipulation, they must always be considered suspect and are not suitable for use as a security mechanism.

53 Figure 17.11 Chrome cookie management

54 Figure 17.12 Internet Explorer cookie management

55 Figure 17.13 Internet Explorer cookie store

56 Cookies (continued)
If the user disables cookies in a browser, this type of information will not be available for the web server to use.
– IETF RFC 2109 describes the HTTP state-management system (cookies) and specifies several specific cookie functions to be enabled in browsers, specifically:
  The ability to turn cookie usage on and off
  An indicator as to whether cookies are in use
  A means of specifying cookie domain values and lifetimes
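As an added example for the two cookie slides (not code from the textbook; it also bears on the side-jacking point on the Session Hijacking slide later in the chapter): `build_cookie` emits a Set-Cookie header carrying the Domain, Path, lifetime and Secure attributes the slides name, plus HttpOnly, and `sign`/`verify` show the practical consequence of "cookies must be considered suspect": a stored value can be edited by whoever holds the browser, and only a server-side HMAC check over the value exposes the edit. The secret, cookie names and values are constructed for this illustration.

```python
"""Added example: cookie attributes with the standard library, and a
signed cookie value that lets the server detect client-side tampering."""
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumption: a per-deployment secret known only to the server (constructed).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def build_cookie(name, value, domain, path="/", max_age=3600, secure=True):
    """Return the text of a Set-Cookie header for one cookie."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["domain"] = domain
    morsel["path"] = path
    morsel["max-age"] = max_age   # relative lifetime; Expires is the absolute form
    if secure:
        morsel["secure"] = True   # browser sends it over HTTPS only (side-jacking defence)
    morsel["httponly"] = True     # page scripts cannot read it
    return morsel.OutputString()


def sign(value):
    """Return 'value|hex(HMAC-SHA256(secret, value))'."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify(cookie_value):
    """Return the original value if its MAC checks out, otherwise None."""
    value, sep, mac = cookie_value.rpartition("|")
    if not sep:
        return None                # no MAC present: treat as forged
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                # edited on the client side
    return value


if __name__ == "__main__":
    # Constructed session value: user id and role, signed before it leaves the server.
    header = build_cookie("session", sign("alice:user"), "shop.example")
    print("Set-Cookie:", header)
    stored = sign("alice:user")
    print(verify(stored))                                   # alice:user
    # The user edits the cookie file to promote themselves; the MAC no longer matches.
    print(verify(stored.replace("user", "admin")))          # None
```

Signing does not hide the value (anyone can read it), so secrets still do not belong in cookies; the usual design keeps only an opaque session identifier in the cookie and the real state on the server.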

57 Browser Plug-ins
Plug-ins are small application programs that increase a browser's ability to handle new data types and add new functionality.
– Until recently, plug-ins have had a remarkable safety record.
– As Flash-based content has grown more popular, crackers have examined the Flash plug-ins and software, determined vulnerabilities, and developed exploit code to use against the Flash protocol.
– The death of Flash is on the horizon.

58 Figure 17.14 Add-ons for Internet Explorer

59 Malicious Add-ons
Add-ons are pieces of code that are distributed to allow additional functionality to be added to an existing program.
– A browser helper object (BHO) has unrestricted access to the Internet Explorer event model; it can capture keystrokes.
– Other programs can have add-ons that utilize the permissions given to the master program.
– Understand the level of interaction risk they pose.
– Unless signed by a trusted authority using Authenticode, ActiveX content should not be allowed in browsers, as the nature of the code changes can present significant risk.

60 Signed Applets
Code signing was an attempt to bring the security of shrink-wrapped software to software downloaded from the Internet.
– A signed applet can be hijacked as easily as a graphic or any other file.
– Two ways an attacker could hijack a signed control are by inline access or by copying the file in its entirety and republishing it.
– Inlining is using an embedded control from another site with or without the other site's permission.

61 Signed Applets (continued)
The primary security concern comes from how the control is used.
A cracker may be able to use a control in an unintended fashion, resulting in file loss or buffer overflow—conditions that weaken a system and can allow exploitation of other vulnerabilities.
These are concerns not addressed simply by signing a control or applet.

62 Application-Based Weaknesses
The application software written to run on servers and serve up the content for users is also a target.
Attacking web-based applications has proven to be a lucrative venture for several reasons.
– The target is a rich environment.
– Building these custom applications to high levels of security is a difficult if not impossible feat.
The same programmatic errors that plague operating systems can cause havoc with web-based systems.

63 Session Hijacking
It is important to securely implement the setup and teardown of a session.
There are numerous methods of session hijacking:
– Man-in-the-middle attacks, side-jacking, and browser takeovers are examples.
– Side-jacking uses packet sniffing to steal a session cookie. Securing only the logon process and then switching back to standard HTTP can enable this attack.
The defense is to use encryption correctly and to log out of and close applications when done.

64 Client-Side Attacks
The popularity and the utility of this interface have made the web browser a prime target for attackers to gain access and control over a system.
A wide variety of attacks can occur via a browser, typically resulting from a failure to properly validate input before use.
Unvalidated input can result in a series of injection attacks, header manipulation, and other forms of attack.

65 Client-Side Attacks (continued)
A cross-site scripting attack is a code injection attack in which an attacker sends code in response to an input request.
– This code is then rendered by the web server, resulting in the execution of the code by the web server.
– Cross-site scripting attacks take advantage of a few common elements in web-based systems.

66 Client-Side Attacks (continued)
When HTTP is being dynamically generated through the use of user inputs, unvalidated inputs can give attackers an opportunity to change HTTP elements.
– When user-supplied information is used in a header, it is possible to create a variety of attacks, such as cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation, and open redirect.
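As an added example (not code from the textbook) covering both the "qualify user responses before using them" point on the Server-Side Scripts slide and the injection and header-manipulation attacks on the three Client-Side Attacks slides: `render_greeting_unsafe` is the reflected-input pattern that lets a cross-site scripting payload through to the page, `render_greeting` is the same page with the input escaped for its HTML context, and `safe_redirect_header` refuses the CR/LF characters that would let a user-supplied value add headers of its own (the cookie manipulation and cache poisoning cases) and off-site targets (the open redirect). Function names, the allow-listed hosts and the sample inputs are constructed.

```python
"""Added example: output escaping and header-value validation for
user-controlled input in a server-side script."""
import html
from urllib.parse import urlsplit

# Assumption: the only hosts this application may redirect a user to.
ALLOWED_REDIRECT_HOSTS = {"shop.example", "www.shop.example"}


def render_greeting_unsafe(name):
    """The vulnerable pattern: user input dropped straight into HTML.
    A name containing markup is returned to the browser as markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name):
    """The fixed pattern: escape for the HTML context at the point of output."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def is_valid_header_value(value):
    """Header values must not contain CR, LF or other control characters;
    a CR/LF pair would end the header and let the input start a new one."""
    return all(ch >= " " and ch != "\x7f" for ch in value)


def safe_redirect_header(target):
    """Return a Location header value, or None if the requested target is unsafe.
    Local paths are allowed; absolute URLs only for allow-listed hosts."""
    if not is_valid_header_value(target):
        return None
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # A site-local path such as /account. Reject scheme-relative forms
        # (//evil.example) and the backslash variant some browsers accept.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return None
    host = (parts.hostname or "").lower()
    if parts.scheme in ("http", "https") and host in ALLOWED_REDIRECT_HOSTS:
        return target
    return None


if __name__ == "__main__":
    # Constructed inputs as a form field might deliver them.
    payload = "<script>alert(1)</script>"
    print(render_greeting_unsafe(payload))   # markup reaches the page intact
    print(render_greeting(payload))          # markup is rendered as text
    print(safe_redirect_header("/account"))                   # /account
    print(safe_redirect_header("https://shop.example/cart"))  # allowed host
    print(safe_redirect_header("https://evil.example/"))      # None
    print(safe_redirect_header("/x\r\nSet-Cookie: a=b"))       # None: CR/LF
```

Escaping belongs at the output stage, chosen for the context the value lands in (HTML body here; attribute, URL and JavaScript contexts each need their own encoding), rather than being done once on input and assumed safe everywhere.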

67 Web 2.0 and Security
Web 2.0 is a relatively new phenomenon that has swept the Internet.
– It is a collection of technologies that is designed to make web sites more useful for users, ranging from new languages and protocols, such as AJAX, to user-provided content, to social networking sites and user-created mash-ups.
– There is a wide range of security issues associated with this new level of deployed functionality.

68 Web 2.0 and Security (continued)
The new languages and protocols add significant layers of complexity to a web site's design, and errors can have significant consequences.
Early efforts by Google to add Web 2.0 functionality to its applications created holes that allowed hackers access to a logged-in user's Gmail account and password.
The foundations of security apply the same way in Web 2.0 as they do elsewhere.

69 Chapter Summary
Describe the functioning of the SSL/TLS protocol suite.
Explain web applications, plug-ins, and associated security issues.
Describe secure file transfer options.
Explain directory usage for data retrieval.
Explain scripting and other Internet functions that present security concerns.

70 Chapter Summary (continued)
Use cookies to maintain parameters between web pages.
Examine web-based application security issues.

